From 47e8ab843db5afacdd64714c0b336caecbd07acb Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Fri, 16 Jan 2026 17:52:57 +0100
Subject: [PATCH] tls: adds test for tls_cert_notafter keyword

Ticket: 3065
---
 tests/tls/tls-cert-validity/test.yaml | 23 +++++++++++++++++++++++
 tests/tls/tls-cert-validity/tls.rules |  2 ++
 2 files changed, 25 insertions(+)
 create mode 100644 tests/tls/tls-cert-validity/test.yaml
 create mode 100644 tests/tls/tls-cert-validity/tls.rules

diff --git a/tests/tls/tls-cert-validity/test.yaml b/tests/tls/tls-cert-validity/test.yaml
new file mode 100644
index 000000000..493d6c278
--- /dev/null
+++ b/tests/tls/tls-cert-validity/test.yaml
@@ -0,0 +1,23 @@
+requires:
+  min-version: 9
+
+pcap: ../tls-cert-issuer/tls.pcap
+
+checks:
+
+  - filter:
+      count: 4
+      match:
+        event_type: tls
+        tls.notbefore: "2015-02-12T18:07:27"
+        tls.notafter: "2025-02-09T18:07:27"
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 3
diff --git a/tests/tls/tls-cert-validity/tls.rules b/tests/tls/tls-cert-validity/tls.rules
new file mode 100644
index 000000000..71211b48c
--- /dev/null
+++ b/tests/tls/tls-cert-validity/tls.rules
@@ -0,0 +1,2 @@
+alert tls any any -> any any (msg:"Stamus TLS"; tls_cert_notafter:>2015; sid:2; rev:1;)
+alert tls any any -> any any (msg:"Stamus TLS"; tls_cert_notbefore:<2025; sid:3; rev:1;)
-- 
2.47.3